Analyzing Security Settings for Assemblies
When an assembly does not seem to run properly, it might be because you have not granted it sufficient permissions to execute correctly. You can use Caspol.exe to identify problems that an assembly might have with respect to the security policy system. Caspol.exe offers the following analysis features:
- Viewing the code groups that apply to a particular assembly.
- Viewing the permissions that apply to a particular assembly.
You can use Caspol.exe to analyze the following problems that might occur with assemblies:
- An assembly does not run.
- An assembly accesses protected resources or runs when it should not.
Viewing the Code Groups that Apply to an Assembly
Sometimes, unintended security settings apply to an assembly because it mistakenly belongs or does not belong to some code group. Such side effects can occur when code groups are added to or deleted from policy levels. To make it easier to find such problems in the policy levels' code group hierarchies, you can list all the code groups an assembly belongs to.
To list the code groups an assembly belongs to
- Type the following command at the command prompt:
caspol [-enterprise|-machine|-user|-all] –resolvegroup assembly-file
Specify the policy-level option before the –resolvegroup option. If you omit the policy-level option, Caspol.exe shows all policy levels.
The following command lists the code groups that
MyAssembly.dllbelongs to at the user policy level.
caspol –user –resolvegroup MyAssembly.dll
Viewing the Permission Set that Applies to an Assembly
Code is granted a set of permissions based on evidence about the code. Each policy level grants a set of permissions to code. The effective permission set that the security policy grants to code is determined by the intersection of the permission sets granted by the machine and user policies. You can use Caspol.exe to view the permission set granted to an assembly by a particular policy level. You can also use Caspol.exe to view the permission set that results from the intersection of the permission set granted by the machine and user policies.
To see the permission set for a particular assembly
- Type the following command at the command prompt:
caspol [-enterprise|-machine|-user|-all] –resolveperm assembly-file
Specify the policy-level option before the –resolveperm option. If you omit the policy-level option, Caspol.exe shows the intersection of all policy levels.
The following command requests a list of permissions that apply to
MyApplication.exeat the user policy level.
caspol –user –resolveperm MyApplication.exe
Analyzing Problems with an Assembly that Does Not Run
There are a variety of reasons why an assembly might not run. For example, it might not have sufficient permissions to run properly. The following process outlines the steps you might perform to analyze this problem:
- Use the –all and the –resolveperm options to determine the permissions that policy grants to the assembly:
caspol –all –resolveperm assembly-file
Determine whether the assembly has the right to execute by checking whether the execution flag is set in the SecurityPermission class. If the assembly has execution rights, the security permission set will be unrestricted, or the flags attribute will include the execution flag.
If the assembly must access a protected resource, (for example, to access a disk, create windows, write to the registry, and so on), check whether the appropriate permissions are set.
- Because the permissions granted by the enterprise, machine, and user policy levels intersect, a permission must be set at all levels for an assembly to receive it. If the assembly has insufficient permissions, check the permissions granted to the assembly at each policy level:
caspol –enterprise –resolveperm assembly-file
caspol –machine –resolveperm assembly-file
caspol –user –resolveperm assembly-file
- If the assembly is part of a code group whose membership condition is too restrictive, or whose associated permission set does not contain the permissions needed for the assembly to function, the assembly cannot run properly. If the permissions granted to the code are insufficient, you can create a new code group that grants the assembly the permissions needed.
You can also modify either the associated permission set or the membership condition of one of the existing code groups so that the assembly receives the appropriate permissions. For more information about how to do this, see Changing a Code Group.
Analyzing an Assembly that Accesses Protected Resources or Runs When it Should Not
If an assembly runs but should not, or if an assembly accesses resources that it should not access (such as resources required to create dialog boxes), the assembly has probably been granted too many permissions.
Use the –resolveperm option to determine which permissions the assembly has been granted. Then use the –resolvegroups option to determine which code groups it belongs to. Change either the membership conditions or the associated permission sets of the associated code groups to limit the permissions granted to the assembly.
Configuring Security Policy Using the Code Access Security Policy Tool (Caspol.exe) | Resolving Security Policy Issues Using Caspol.exe | Security Policy Model | Code Access Security Policy Tool (Caspol.exe)